Abstract

A new method to derive Multivariate Quadratic equation systems (MQ) for the input and output bit variables of a cryptographic S-box from its algebraic expressions, with the aid of the computer mathematics software system SageMath, is presented. We substantiate the deficiency of previously proposed MQ metrics that are supposed to quantify the resistance of S-boxes against algebraic attacks.
1 Overview

We present a new automated way to produce and investigate Multivariate Quadratic equation systems (MQ) over $GF(2)$ for the Rijndael S-box ($S_{RD}$) and similar S-boxes. In the following we first briefly survey the principles of $S_{RD}$ in section 2. Recently, Jie Cui et al. [6] claimed to have presented a new and concise approach for generating such an MQ for $S_{RD}$ and also to have proposed a cryptographically more secure S-box. In section 3 we describe the derivation of Cui et al. In section 4 we present our automated way to produce the MQ for $S_{RD}$ aided by the computer mathematics software system SageMath [1]. As we demonstrate later, this method can be applied to other proposed S-boxes alleged to be cryptographically stronger. We also generate the Gröbner bases describing the two different S-boxes and calculate the solutions of all equation systems with the help of a SAT solver. In section 5 we investigate, critically discuss, and dismiss equation-metrics-based criteria as inappropriate for estimating the resistance against algebraic attacks (RAA) of an S-box. In sections 6 and 7 we build MQ for the S-box proposed by Jie Cui et al. [6] and show why it is not an improvement. The complicated algebraic expression for the S-box constructed by Cui et al. leads to a great number of equations and independent monomials in the resulting MQ. On the basis of the RAA formulas the new S-box should exhibit a remarkable robustness against algebraic attacks. But from that same S-box a much simpler MQ can be derived, leading to a polynomial system nearly as easy to solve as that of the original $S_{RD}$. This is what we do in section 7, greatly facilitated by SageMath.

Our main contribution is the demonstration of the convenience which SageMath offers to researchers, so that they can derive their MQ and its metrics quickly and transparently verify the quality of existing formulas supposed to quantify the resistance of an MQ to algebraic attacks. In conclusion, we could not validate the dependence of the solving hardness on the number of equations and on the number of independent monomials in the polynomial systems that the suggested RAA formulas predict.



2 Principle of the Rijndael S-box $S_{RD}$

We briefly repeat its well known principles and algebraic properties [8]. Regarding 8-bit bytes as elements of $GF(2^8)$, Rijndael's S-box is a mapping $S: GF(2^8) \to GF(2^8)$ composed of an inverse function $I(x)$, the multiplicative inverse modulo the irreducible polynomial

$$m(t) = t^8 + t^4 + t^3 + t + 1,$$

and an affine transformation function $A(x)$. Here $x$ is a byte variable consisting of the bits $x_i$ ($i = 0, \dots, 7$), with $x_7$ the most significant bit: $x = \sum_{i=0}^{7} x_i t^i$. The modular inverse function $I(x)$ is defined as

$$I(x) = x^{254} \bmod m(t) \qquad (1)$$

i.e., the modular inverse of 0 is mapped to 0. According to the AES design [9], the affine transformation $A(x)$ can also be described as a modular polynomial multiplication followed by an addition (XOR) of a constant polynomial:

$$A(x) = a\,x \bmod (t^8 + 1) + b \qquad (2)$$

with $a$ = '1F' and $b$ = '63'. A two-digit hexadecimal number stands for a constant byte, that is, a polynomial in $t$, e.g. '63' for $t^6 + t^5 + t + 1$. The Rijndael S-box can be written as:

$$S_{RD}(x) = A \circ I = A(I(x)) \qquad (3)$$

3 Rijndael S-box explored by Cui et al.

Cui et al. [6] (as Courtois and Pieprzyk [8] before them) utilize the Rijndael S-box composition (3) to derive an MQ for it. With $x$ the input and $z$ the output value, and the intermediate variable $y = I(x)$, they note $z = S_{RD}(x) = A(y) = A(I(x))$. Considering the inverse transformation $y = I(x)$, obviously $xy = 1$ when $x \neq 0$, which reads in polynomial form:

$$x \cdot y \bmod m(t) = 1 \qquad (4)$$

The above modulo division is then performed analytically, and a comparison of the coefficients of terms of the same order $t^k$, $0 \le k \le 7$, leads to the first eight multivariate quadratic equations for the Rijndael S-box on pages 2483 and 2484 of the paper of Cui et al. [6]. The authors give all the steps and intermediate results of the complete calculation. They formulate and evaluate two additional equations in the byte variables to define the S-box completely. In doing so, Cui et al. replicate results already presented in 2002 by Courtois and Pieprzyk in the extended version of [8].

4 Rijndael S-box coded in Sage

SageMath, or briefly Sage (System for Algebra and Geometry Experimentation), is a free open-source software system for computer mathematics [2]. It is licensed under the GNU General Public License. It builds on top of many existing open-source computer mathematics packages. Their combined power is accessible through a common Python-based language interface from the command line or a web browser. It was originally designed by William Stein, still the leader of the SageMath project and also the inventor of SageMathCloud [3] for collaborative computational mathematics.

In order to work with polynomials like $x = \sum_{i=0}^{7} x_i t^i$, Sage provides modules to construct rings of multivariate polynomials. The polynomials $x$, $y$, and $z$ introduced in the previous section are modeled in Sage as follows.¹ In line 1 of Listing 1 a variable for the number of bits is defined for convenience. In line 2 a list of strings for the names of the coefficients of the three byte polynomials is generated (['x0', 'x1', ..., 'z7']).

¹The complete code presented here together with its output is accessible at SageMathCloud [4].

Listing 1: Byte polynomials over a quotient ring

nb = 8
varl = [c + str(p) for c in 'xyz' for p in range(nb)]
B = BooleanPolynomialRing(names = varl)
B.inject_variables()
P.<p> = PolynomialRing(B)
Byte.<t> = P.quotient_ring(p^8 + p^4 + p^3 + p + 1)
X = B.gens()[:nb]
Y = B.gens()[nb:2*nb]
x = sum([X[j] * t^j for j in range(nb)])
y = Byte(list(Y))

In line 3 a Boolean polynomial ring for these coefficients is constructed, which assigns $GF(2)$ properties to them. In line 4 the coefficient names are made available as variables. In line 5 a polynomial ring over the Boolean polynomial ring B is constructed and from that, in line 6, the final quotient ring Byte with modulus $m(t)$. In lines 7 and 8, lists² of coefficient variables of the byte polynomials are created for convenience. With the help of these lists, in the last two lines the polynomials are modeled in two equivalent ways: x explicitly as a sum over powers of t, and y by using the Byte constructor, which takes the list of coefficients in increasing order of the power of t.

Now one can already evaluate the product $xy$ in Sage with the commands:

E3 = x * y
eqs3 = E3.list()

In the second line we used the list() method to get the coefficients of each power of $t$ in the expression E3. Due to the use of the quotient ring, E3 is of degree at most 7, and the length of the list eqs3 (the number of coefficients) is 8. The terms we obtain with Sage agree with the right-hand sides (rhs) of the system of equations numbered (3) in the paper of Cui et al. [6].

Cui et al. proceeded with the generation of the next set of equations for Rijndael's S-box, the affine transformation. From equation (2), setting $z = A(y)$, it follows that

$$y = a^7 (z + b) \bmod (t^8 + 1) \qquad (5)$$

since $a^8 \bmod (t^8 + 1) = 1$. Substituting (5) for $y$ in $xy$ we get the final form of the first eight implicit equations representing the Rijndael S-box. In Sage the substitution of values is accomplished with the help of a so-called dictionary. Using equation (5), the code in Listing 2 generates this dictionary, called eqs4.

²To be exact, in Python these are tuples, i.e., immutable lists.

Listing 2: Generate a dictionary to substitute y variables

Baff.<u> = P.quotient_ring(p^8 + 1)
Z = B.gens()[2*nb:][:nb]
z = Baff(list(Z))
a = u^4 + u^3 + u^2 + u + 1
b = u^6 + u^5 + u + 1
eqs4 = dict(zip(Y, (a^7 * (z + b)).list()))

The first line sets up a quotient ring modulo $t^8 + 1$. The next four lines define the byte variable z and the two constant polynomials a and b in this ring (with generator u). The rhs of equation (5) simply reads a^7 * (z + b) in the code. The dictionary is constructed in the last line. The result is shown in Listing 3.

Listing 3: Dictionary to substitute y variables

{y7: z6 + z4 + z1,
 y6: z5 + z3 + z0,
 y5: z7 + z4 + z2,
 y4: z6 + z3 + z1,
 y3: z5 + z2 + z0,
 y2: z7 + z4 + z1 + 1,
 y1: z6 + z3 + z0,
 y0: z7 + z5 + z2 + 1}

(The constant terms of y2 and y0 are the bits of $a^7 b$ = '05', the constant of the inverse affine transformation.)

The substitution of y in the equation list eqs3 via the dictionary is done with the following:

eqs5 = [_.subs(eqs4) for _ in eqs3]

The result is again a list, whose members give the first set of eight multivariate quadratic equations of the S-box by setting the byte variable product equal to 1. This list of terms eqs5 is identical to the system of equations (5) of Cui et al. Those equations with zero constant term (7 out of 8) are true with probability 1. The eighth equation (the coefficient of $t^0$, which is the first entry of the Sage list) is true only when $x \neq 0$, so that this equation is true with probability 255/256. Furthermore, for all $x \neq 0$, $x = x^2 y$. Obviously this last equation is true also when $x = 0$, so that by repeated squaring (the Frobenius map of characteristic 2) one can write:

$$\forall x \in GF(2^8):\quad x = y\,x^2,\quad x^2 = y^2 x^4,\quad \dots,\quad x^{128} = y^{128} x^{256} = y^{128}\,x \qquad (6)$$
Cui et al. take the last of the above and write two symmetrical equations to generate an additional set of 16 equations for the Rijndael S-box. The equations they take are:

$$x^{128} = y^{128}\,x, \qquad y^{128} = x^{128}\,y \qquad (7)$$

We expand these two equations to get the needed additional 16 equations in the bit variables. We also substitute y in these equations by using the dictionary of Listing 3.

E7 = x^128 + y^128 * x
eqs7 = [_.subs(eqs4) for _ in E7.list()]

The result is a list of terms which are practically the equations (7) of Cui et al., written in the reverse order of Cui's paper. Cui et al. begin with the expression corresponding to the highest order term of E7, while the Sage list begins with the constant term. These terms are identical to the rhs of equations (7) in Cui et al. [6] up to a couple of minimal differences, which we attribute to typographical errors in the paper of Cui et al.

Similarly, we write:

E8 = y^128 + x^128 * y
eqs8 = [_.subs(eqs4) for _ in E8.list()]

and, by setting these terms equal to 0, get the next block of eight equations for the Rijndael S-box, which are to be compared with the system (8) of Cui et al. Here we see a couple of discrepancies which we again attribute to typographical mistakes in the reference paper.

Using the Sage model of this S-box it is easy to count the number of equations and the number of terms in each equation, and to determine the minimal and maximal number of terms as well as the total number of different terms, as shown in Listing 4.

Listing 4: Survey of the first S-box equation system

mq1 = eqs5[1:] + eqs7 + eqs8
len(mq1)
lmon1 = [len(_.monomials()) for _ in mq1]
min(lmon1)
max(lmon1)
Sequence(mq1).nmonomials()

As mentioned above, the first equation is discarded since it is only true with probability 255/256 (false if $x = 0$). This gives for the Rijndael S-box 23 equations, with between 28 and 49 monomials per equation and, in total, 81 different monomials.
Finding the 256 solutions of this equation system, i.e. the value table of the byte S-box, with a SAT solver in Sage is accomplished with the following two lines of code:

Listing 5: SAT solver usage

from sage.sat.boolean_polynomials import solve as solve_sat
%time r = solve_sat(mq1, n=infinity)

This takes ca. 0.6 s CPU time on a decent computer (2.8 GHz CPU, 8 GB RAM). As a point of reference we also evaluate the Gröbner basis (GB) of this MQ and print the number of basis equations, as well as the maximal degree and the number of its monomials:

Listing 6: Gröbner basis evaluation

Id1 = B.ideal(mq1)
%time mq1gb = Id1.groebner_basis()
print len(mq1gb)
print mq1gb.maximal_degree()
print mq1gb.nmonomials()

The evaluation of the Gröbner basis takes ca. 14 seconds; it has 8 equations of degree 7 with 263 different monomials. The solution of the basis equations with the SAT solver is about 4 times as fast as the solution of the MQ.

Courtois and Pieprzyk [8] state that these 23 equations are linearly independent. Nonetheless, the last 16 equations (7) alone, i.e. mq2 = eqs7 + eqs8, are already sufficient to evaluate the Gröbner basis and to compute the S-box value table of 256 solutions with the SAT solver, which takes ca. 0.7 s CPU time on the same computer. These 16 equations describing the Rijndael S-box have between 28 and 49 monomials per equation and, in total, 81 different monomials.
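The following plain-Python script is an added example and not part of the paper's Sage code. It implements the definitions of section 2 without Sage, using only the constants the text gives ($m(t)$ = 0x11B, $a$ = '1F', $b$ = '63'), and then checks the byte equations (4), (5) and (7) numerically over all 256 inputs: equation (4) holds for 255 of the 256 inputs, the inverse affine map (5) recovers $y = I(x)$ from $z$ for every input, and both equations (7) hold for all 256 inputs, including $x = 0$. The helper names (gmul, gpow, mul_mod_t8p1, check_byte_equations) are this example's own.

```python
# Added example: Rijndael S-box from its algebraic definition (section 2) and
# a numerical check of the byte equations (4), (5) and (7) of section 4.
# Plain Python, no SageMath required.  All helper names are this example's own.

M_RD = 0x11B                 # m(t) = t^8 + t^4 + t^3 + t + 1
A_RD, B_RD = 0x1F, 0x63      # constants of the affine transformation (2)


def gmul(x, y, mod=M_RD):
    """Product of two bytes in GF(2^8) = GF(2)[t]/(m(t)) (shift-and-add)."""
    r = 0
    for _ in range(8):
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x & 0x100:
            x ^= mod
    return r


def gpow(x, e):
    """x^e in GF(2^8) by square-and-multiply; 0^e = 0 for e > 0."""
    r = 1
    while e:
        if e & 1:
            r = gmul(r, x)
        x = gmul(x, x)
        e >>= 1
    return r


def inverse(x):
    """I(x) = x^254 mod m(t), equation (1); 0 is mapped to 0."""
    return gpow(x, 254)


def mul_mod_t8p1(p, q):
    """Product of two byte polynomials modulo t^8 + 1.
    Multiplying by t^i modulo t^8 + 1 is a rotation by i bit positions."""
    r = 0
    for i in range(8):
        if (p >> i) & 1:
            r ^= ((q << i) | (q >> (8 - i))) & 0xFF
    return r


def affine(x, a=A_RD, b=B_RD):
    """A(x) = a x mod (t^8 + 1) + b, equation (2)."""
    return mul_mod_t8p1(a, x) ^ b


def affine_inverse(z, a=A_RD, b=B_RD):
    """Equation (5): y = a^7 (z + b) mod (t^8 + 1); valid since a^8 = 1."""
    a7 = 1
    for _ in range(7):
        a7 = mul_mod_t8p1(a7, a)
    assert mul_mod_t8p1(a7, a) == 1   # a^8 mod (t^8 + 1) = 1 for a = '1F'
    return mul_mod_t8p1(a7, z ^ b)


def sbox_rd(x):
    """S_RD(x) = A(I(x)), equation (3)."""
    return affine(inverse(x))


def check_byte_equations():
    """Over all 256 inputs x, with z = S_RD(x) and y recovered from z by (5),
    count how often x*y = 1 (4) and each of the two equations (7) hold.
    Expected result: (255, 256, 256)."""
    n_xy1 = n_x128 = n_y128 = 0
    for x in range(256):
        z = sbox_rd(x)
        y = affine_inverse(z)          # y = I(x), recovered from the output
        assert y == inverse(x)
        n_xy1 += gmul(x, y) == 1
        n_x128 += gpow(x, 128) == gmul(gpow(y, 128), x)   # x^128 = y^128 x
        n_y128 += gpow(y, 128) == gmul(gpow(x, 128), y)   # y^128 = x^128 y
    return n_xy1, n_x128, n_y128


if __name__ == "__main__":
    table = [sbox_rd(x) for x in range(256)]
    assert len(set(table)) == 256 and table[0] == 0x63
    print("S_RD(0x53) = %#04x" % table[0x53])
    print("inputs for which (xy=1, x^128 = y^128 x, y^128 = x^128 y) hold:",
          check_byte_equations())
```

The counts (255, 256, 256) are the numerical counterpart of the statement above that the $t^0$ coefficient equation of (4) is discarded while the 16 bit equations of (7) are kept: the two byte equations of (7) are exactly the relations that hold for every input.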


5 Algebraic attacks and S-box optimization

For quantifying the resistance against algebraic attacks for $r$ equations in $t$ terms over $GF(2^n)$, Cui et al. [6] have used the criterion of Cheon and Lee [11], which defines the Resistance against Algebraic Attacks (RAA) $\Gamma$ as:

$$\Gamma = \left(\frac{t - r}{n}\right)^{\lceil (t - r)/n \rceil} \qquad (8)$$

Courtois and Pieprzyk [8] use another criterion

$$\Gamma_{CP} = \left(\frac{t}{n}\right)^{\lceil t/r \rceil} \qquad (9)$$

(note the brackets $\lceil\ \rceil$ in the exponents indicating the ceiling function).³ The value of these criteria should reflect the difficulty of solving the multivariate equations. For the Rijndael S-box we counted 23 equations and, in total, 81 different monomials. Therefore, it has $\Gamma = (29/4)^8 \approx 2^{22.9}$ and $\Gamma_{CP} = (81/8)^4 \approx 2^{13.4}$. The 16-equation system has $\Gamma = (65/8)^9 \approx 2^{27.2}$ and $\Gamma_{CP} = (81/8)^6 \approx 2^{20.0}$. Compared with the ratio of the computational effort of the SAT solver for the MQ with 23 and with 16 equations (0.6 s versus 0.7 s), the $\Gamma$ values for the 16-equation system are exaggerated.

To generate an equation system that is harder to solve, Cui et al. [6] have introduced a more complicated Rijndael S-box structure which they name Affine-Inverse-Affine (AIA) structure. This S-box will be explored in detail in the next two sections.
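As an added example (not part of the paper), the two criteria (8) and (9) evaluated in plain Python for the four equation systems whose counts appear in this paper, reproducing the $\log_2$ values quoted above and in Table 1. The exponent is computed as $\lceil q \rceil \cdot \log_2 q$ rather than by raising to the power, so that the formal $n = 8$ variant for the 2,039-equation system of section 6 (an exponent above 2,000) can be evaluated without overflowing a floating-point number. The function names are this example's own.

```python
# Added example: the RAA criteria (8) and (9) for the systems counted in the
# paper.  Plain Python; function names are this example's own.
import math

# (r equations, t monomials, n dependent variables), as counted in the text
SYSTEMS = {
    "S_RD, 23 equations":      (23, 81, 8),
    "S_RD, 16 equations":      (16, 81, 8),
    "S_AIA, 2,039 equations":  (2039, 18232, 2032),
    "S_AIA, concise (32 eq.)": (32, 137, 8),
}


def log2_gamma(r, t, n):
    """log2 of the Cheon-Lee criterion (8): ((t - r)/n)^ceil((t - r)/n)."""
    q = (t - r) / n
    return math.ceil(q) * math.log2(q)


def log2_gamma_cp(r, t, n):
    """log2 of criterion (9) as evaluated in the text: (t/n)^ceil(t/r)."""
    return math.ceil(t / r) * math.log2(t / n)


def raa_table():
    """{name: (log2 Gamma, log2 Gamma_CP)}, rounded to one decimal as in Table 1."""
    return {name: (round(log2_gamma(r, t, n), 1), round(log2_gamma_cp(r, t, n), 1))
            for name, (r, t, n) in SYSTEMS.items()}


if __name__ == "__main__":
    for name, (g, gcp) in raa_table().items():
        print("%-24s log2(Gamma) = %5.1f   log2(Gamma_CP) = %5.1f" % (name, g, gcp))
    # footnote of section 6: formally taking n = 8 for the 2,039-equation system
    print("n = 8 instead of 2,032: log2(Gamma) = %.0f, log2(Gamma_CP) = %.1f"
          % (log2_gamma(2039, 18232, 8), log2_gamma_cp(2039, 18232, 8)))
```

Reading the formulas in this form makes the behaviour criticised in this paper explicit: both exponents grow with the monomial count $t$ and shrink with the equation count $r$, so dropping 7 of the 23 Rijndael equations raises $\Gamma$ by a factor of about $2^{4}$ although the SAT solver effort barely changes.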


6 MQ of the AIA structure S-box in Sage

In Cui, Huang, et al. (2011) [7], a new Rijndael S-box structure named Affine-Inverse-Affine (AIA) is designed, supposed to increase the algebraic complexity of the S-box. Questioning this claim, we considered it worthwhile to check their calculations and assertions.

A different affine transformation (2) with $a$ = '5B' and $b$ = '5D' is chosen. This transformation is applied before and after the inversion step:

$$S_{AIA}(x) = A \circ I \circ A = A(I(A(x)))$$

Cui et al. [6] derive a multivariate quadratic equation system of $S_{AIA}$ using the coefficients of the polynomial expression of the S-box. They write down the equation system with indices for rounds and input bytes of the AES algorithm (but never use them). The round indices are omitted here as they do not matter in what follows. As before, $x$ denotes the input byte variable of the S-box function. Intermediate variables are denoted by $y_0, y_1, \dots, y_{253}$ and the output variable by $z$. According to the polynomial expression of the new AIA S-box, the S-box transformation can be described by the following quadratic equations over $GF(2^8)$:

$$\begin{cases} x\,y_0 = 1 \\ y_m\,y_0 = y_{m+1}, \quad \text{for } 0 \le m \le 252, \text{ and } y_{253} = x \\ z = g(y_0, y_1, \dots, y_{252}, x) \end{cases} \qquad (10)$$

Since $x y_0 = 1$ and $y_{m+1} = y_m y_0$, the intermediate variables are the powers $y_m = x^{-(m+1)} = x^{254 - m}$ (for $x \neq 0$), so that $g$ is the polynomial expression of the S-box with the coefficient of $x^k$ multiplying $y_{254-k}$. Cui et al. [6] define the function $g$ by the polynomial expression of their S-box. We calculated the coefficients of the polynomial expression of $S_{AIA}$ (its Lagrange polynomial) in Sage⁴ and tabulate them in Listing 8. Thereby, the function $g$ reads

$$g(y_0, y_1, \dots, y_{252}, x) = \text{'FA'} + \text{'12'}\,x + \text{'26'}\,y_{252} + \dots + \text{'E5'}\,y_2 + \text{'A9'}\,y_1 + \text{'A6'}\,y_0 \qquad (11)$$

(The coefficients of Cui et al. [6] as listed in their Table 1, which in turn corresponds to Table 3 in Cui, Huang, et al. [7], are wrong and do not represent the polynomial expression of their S-box $S_{AIA}$, although Cui, Huang, et al. list in their preceding Table 2, correctly, the output values of $S_{AIA}$.)

³Parameter $n$ could be interpreted as the number of dependent variables, see section 6.

The equation system (10) can be modeled in Sage with the help of the preparatory code shown in Listing 7:

Listing 7: Preparation for equation system of AIA S-box

nb = 8
ny = 253
varlxz = [c + str(p) for c in 'xz' for p in range(nb)]
varly = ['y' + str(p) for p in range(nb*ny)]
B = BooleanPolynomialRing(names = varlxz + varly)
B.inject_variables()
P.<p> = PolynomialRing(B)
Byte.<t> = P.quotient_ring(p^8 + p^4 + p^3 + p + 1)
X = B.gens()[:nb]
Z = B.gens()[nb:][:nb]
YY = [B.gens()[(2 + m)*nb:][:nb] for m in range(ny)]
x = Byte(list(X))
z = Byte(list(Z))
yy = [Byte(list(_Y)) for _Y in YY]

In lines 3 and 4 lists of strings for the names of the coefficients of the byte variables $x$, $z$, and $y_0, \dots, y_{252}$ are generated.

Then, as in Listing 1, in line 5 a Boolean polynomial ring for these coefficients is constructed, assigning $GF(2)$ properties to them; in line 6 the coefficients are made available as variables, and in line 7 a polynomial ring over the Boolean polynomial ring B is constructed and from that, in line 8, eventually, the quotient ring Byte with modulus $m(t)$.

In lines 9 to 11 tuples of the coefficient variables of the byte polynomials are created for convenience. For the $y$ variables the coefficients are grouped byte-wise in sub-lists. In the last three lines, finally, the polynomials of the byte variables are defined using these tuples as arguments for the Byte constructor. For the $y$ variables a list of polynomials is used.

⁴The Sage code comprises some twenty lines and is accessible at SageMathCloud [5].
In the next Sage code block (Listing 8), the coefficients of the polynomial expression of $S_{AIA}$ are given in hexadecimal notation as a list of strings, which is transformed into a list of the constant polynomials that enter $g$ (11). The table is ordered by increasing power of $x$: entry $k$ is the coefficient of $x^k$, i.e. of $y_{254-k}$ for $k \ge 2$; the last entry, the coefficient of $x^{255}$, vanishes for a bijective byte map and is not used in Listing 9.

Listing 8: Generating constant polynomials of AIA S-box

sbt = [
    'FA 12 26 E7 9A C7 DB 79 56 01 D3 59 52 ED 97 C9',
    '47 46 FC 7C 5A 50 49 BF F4 F8 63 C8 82 1B EE 74',
    '3B 5D F8 02 2D 64 1A 15 BA DB 59 FE FB D6 97 FF',
    'AB 3F B4 09 32 77 AB 52 4D 96 D5 BB DE 30 DE 05',
    '62 23 7C 69 66 75 9F E9 9B 60 88 2F D1 8F 09 F4',
    '1E EF C4 48 0D A5 AE 7A 38 9B 71 F2 9F 44 B3 99',
    'CN C5 13 12 19 C2 5F 5B AD FA D5 49 7B F8 16 07',  # first entry 'CN' illegible in the scanned source
    'B6 75 E9 B0 CA E8 83 C1 4E 75 C5 5E 91 07 86 BF',
    '6F C2 25 35 D3 7F CC 0D AC 7A C9 EC D2 3F C3 21',
    '7E A9 2A 6D A8 66 F8 7D D2 1B FE CD 58 64 25 DA',
    'AE 49 2D 4F 0C 74 F2 42 4A 87 42 9B 83 50 F1 91',
    'C1 02 4F 2A C9 19 37 59 D5 74 8D 0B 20 C5 AF 28',
    '47 FB 09 87 10 6A 3B C8 8B 08 5B 8B 13 0E 73 7E',
    'FA 45 85 18 D5 90 4E 71 E6 F2 BF EE 30 E9 99 54',
    'C0 63 8F 03 92 91 0C 43 09 66 E5 76 6A 93 87 E4',
    '6C 6A 87 A1 CB 64 AA 5C FB 05 5A DE E5 A9 A6 00']
sbt = ' '.join(sbt).split()
sbp = [Byte(ZZ(_, 16).bits()) for _ in sbt]

In the last line of this code block each two-digit hexadecimal number in the table, represented by a two-character string, is converted into an integer by the code fragment ZZ(_, 16). Appending .bits() transforms it into a list of 0s and 1s, the binary representation of the number in little-endian order (least significant bit first), which is exactly the coefficient order, by increasing power of t, that the Byte constructor expects. Applying the Byte constructor gives the corresponding constant polynomial.

With these preparations the equation system (10), (11) of the AIA S-box (equation 9 in Cui et al. [6]) can be modeled in Sage as shown in Listing 9.

Listing 9: Equation system of AIA S-box in Sage

g = sbp[0] + sbp[1] * x \
    + sum(sbp[2 + m] * yy[ny-1-m] for m in range(ny))
yy.append(x)
E9 = [x * yy[0] + 1]
E9.extend(yy[m] * yy[0] + yy[m+1] for m in range(ny))
E9.append(z + g)
mq3 = flatten([_.list() for _ in E9])[1:]

In the last line the first term (the $t^0$ coefficient of $x y_0 + 1$) is discarded since it is only true with probability 255/256 (false if $x = 0$). Using this Sage model we evaluate some metrics of this MQ as before. This gives for the new AIA S-box 2,039 equations (7 from $x y_0 = 1$, 253 × 8 from the chain of products and 8 from $z = g$), with between 3 and 1,034 monomials per equation. These equations have in total 18,232 different monomials. In order to apply the criteria of section 5, the intermediate variables were also taken into account by interpreting the parameter $n$ in the definitions (8) and (9) as the number of dependent variables. Hence, the number $8 \times 254 = 2{,}032$ (the bits of $y_0, \dots, y_{252}$ and $z$) is used as $n$, and not only 8. This results in $\Gamma = (16{,}193/2{,}032)^8 \approx 2^{24.0}$ and $\Gamma_{CP} = (18{,}232/2{,}032)^9 \approx 2^{28.5}$ as estimation for the RAA.⁵

Also, the CPU time to evaluate all 256 solutions of this MQ with a SAT solver is ca. 7 s, which is about 12 ($\approx 2^{3.6}$) times as long as for the original Rijndael S-box.

Cui et al. [6] count a totally different number of equations and terms, based on the byte variables and not on their polynomial coefficients, which contradicts the scheme applied to the Rijndael S-box with which they compare and is therefore misleading.

Further, the method used by Cui et al. [6] to derive an MQ for their AIA S-box applies to any S-box, using the coefficients of its polynomial expression. This illustrates that the resulting numbers of equations and terms are deceptive as a criterion for the estimation of algebraic attack resistance and unfit to differentiate the quality of byte S-boxes. To substantiate this point, we have derived such an MQ for the original Rijndael S-box by using its polynomial expression in equation (10). The function $g$ then reads

$$g_{S_{RD}}(y_0, y_1, \dots, y_{252}, x) = \text{'63'} + \text{'8F'}\,y_{127} + \text{'B5'}\,y_{63} + \text{'01'}\,y_{31} + \text{'F4'}\,y_{15} + \text{'25'}\,y_7 + \text{'F9'}\,y_3 + \text{'09'}\,y_1 + \text{'05'}\,y_0 \qquad (12)$$

The same Sage code (Listings 7, 8, and 9) was used with an adapted table of the polynomial expression coefficients in accordance with equation (12). This MQ of the Rijndael S-box exhibits the same number of equations with the same number of different monomials as the MQ of $S_{AIA}$, resulting in equally high, misleading $\Gamma$ values. Also, the SAT solver needs the same 7 s CPU time to find the solutions of this MQ.

In contrast, we will show in the next section how to derive, aided by computer mathematics, a much simpler MQ for the AIA S-box, which shows that its resistance against algebraic attacks, measured by the effort of a SAT solver, does not really exceed that of the original Rijndael S-box. But the RAA criteria exaggerate the hardness of that simpler MQ.

⁵Formal application of $n = 8$ yields implausibly high values for $\Gamma$ and $\Gamma_{CP}$.
7 Concise MQ for the AIA S-box in Sage

Building on the Sage code presented so far, we derive a much simpler MQ for the AIA S-box. Its resistance against algebraic attacks according to the RAA criterion should be greater than that of the original Rijndael S-box, but the criterion over-estimates the time it takes to solve the system with a SAT solver.

For the inversion step we now use, temporarily, two intermediate byte variables $y_0$ and $y_1$, named yy[0] and yy[1] in the Sage code. Their bit coefficients are the Sage variables y0, ..., y7 and y8, ..., y15, respectively. The three steps of the AIA S-box are

$$z = A(y_1), \qquad y_1 = I(y_0), \qquad y_0 = A(x)$$

Beginning with the inversion step, we first model

$$y_0^{128} = y_1^{128}\,y_0, \qquad y_1^{128} = y_0^{128}\,y_1, \qquad y_0^3 = y_0^4\,y_1, \qquad y_1^3 = y_1^4\,y_0 \qquad (13)$$

The last two equations in (13) are the only other additional (fully quadratic) MQ (besides $y_0 y_1 = 1$) for the inversion, as stated already by Courtois and Pieprzyk in the extended version of [8] (compare also Cheon and Lee [11]). These additional equations are necessary to completely define the S-box $S_{AIA}$. Without them the system is under-defined, as, for example, the solution with a SAT solver shows. In Sage the equations (13) read

E10 = yy[0]^128 + yy[1]^128 * yy[0]
E11 = yy[1]^128 + yy[0]^128 * yy[1]
E12 = yy[0]^3 + yy[0]^4 * yy[1]
E13 = yy[1]^3 + yy[1]^4 * yy[0]

The linear transformations according to equation (2) are

$$y_0 = a\,x \bmod (t^8 + 1) + b \qquad (14)$$

$$y_1 = a^7 (z + b) \bmod (t^8 + 1) \qquad (15)$$

with $a$ = '5B' (hence $a^8 \bmod (t^8 + 1) = 1$) and $b$ = '5D'. In Sage we formulate

Listing 10: Generate dictionary to substitute y variables

Baff.<u> = P.quotient_ring(p^8 + 1)
a = Baff(ZZ('0x5B').bits())
b = Baff(ZZ('0x5D').bits())
eqs14 = dict(zip(YY[0], a * Baff(x) + b))
eqs14.update(zip(YY[1], a^7 * (Baff(z) + b)))
The right-hand sides of equations (14) and (15) enter Listing 10 in the two last lines. Both their coefficients are inserted into the same dictionary eqs14. Applying these substitutions in Sage to get rid of the intermediate byte variables is straightforward:

eqs10 = [_.subs(eqs14) for _ in E10.list()]
eqs11 = [_.subs(eqs14) for _ in E11.list()]
eqs12 = [_.subs(eqs14) for _ in E12.list()]
eqs13 = [_.subs(eqs14) for _ in E13.list()]

and gives already the final, concise MQ for the S-box $S_{AIA}$:

mq5 = eqs10 + eqs11 + eqs12 + eqs13

For this MQ, counting the numbers of equations and monomials in Sage is done as before. It has 32 equations, with between 33 and 60 monomials per equation and 137 different monomials in total. This makes, according to definitions (8) and (9), $\Gamma = (105/8)^{14} \approx 2^{52.0}$ and $\Gamma_{CP} = (137/8)^5 \approx 2^{20.5}$.

Nonetheless, the SAT solver takes ca. 0.8 s CPU time on the same computer (2.8 GHz CPU, 8 GB RAM) to find all and only 256 solutions for this MQ. The evaluation of its Gröbner basis takes ca. 16 s. The GB has 8 equations of degree 7 with 263 different monomials, and its solution with a SAT solver is obtained as fast as that of the GB of the Rijndael S-box. Clearly, the values of the hardness criteria do not correlate with the effort of the SAT solver for this MQ.

For comparison, and as an additional reference value for the RAA estimation, we have derived such an MQ with 32 equations for the original Rijndael S-box using the four equations (13) (replacing $y_0$ by $x$ and $y_1$ by $y$) and its affine transformation (5) (with $a$ = '1F', $b$ = '63'). This MQ has the same number of equations and the same number of different monomials, and thus the same values for the hardness criteria, as that of $S_{AIA}$. The solution with the SAT solver of this MQ for the original Rijndael S-box takes the same CPU time as the solution of the 32-equation MQ of $S_{AIA}$, namely ca. 0.8 s. This shows how Sage can easily be used to disprove the practicality of the hardness criteria.
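The following plain-Python script is an added example, not the paper's Sage code, and serves both section 6 and this section. It builds $S_{AIA}$ from $a$ = '5B' and $b$ = '5D' as $A(I(A(x)))$; it computes the coefficients of the polynomial expression of a byte S-box (the table of Listing 8 for $S_{AIA}$, the nine terms of (12) for $S_{RD}$) by interpolation over $GF(2^8)$ in the closed form $p(x) = \sum_a f(a)\,(1 + (x + a)^{255})$, which needs no polynomial division because every binomial coefficient $\binom{255}{k}$ is odd; and it counts over all $256 \times 256$ byte pairs $(x, z)$ how many satisfy the equations (13) after the substitutions (14) and (15). The field arithmetic uses log/antilog tables for the generator '03' of $GF(2^8)^*$; all function names (xtime, gmul, gpow, poly_coefficients, count_solutions) are this example's own.

```python
# Added example (not the paper's Sage code): the AIA S-box, the polynomial
# expression of a byte S-box by interpolation, and a byte-level count of the
# solutions of the concise system (13)-(15).  Plain Python.

def xtime(v):
    """Multiply by t modulo m(t) = t^8 + t^4 + t^3 + t + 1."""
    v <<= 1
    return v ^ 0x11B if v & 0x100 else v

# log/antilog tables of GF(2^8)* for the generator '03' = t + 1
EXP = [1]
for _ in range(254):
    EXP.append(EXP[-1] ^ xtime(EXP[-1]))
LOG = {v: i for i, v in enumerate(EXP)}


def gmul(x, y):
    return 0 if x == 0 or y == 0 else EXP[(LOG[x] + LOG[y]) % 255]


def gpow(x, e):
    """x^e in GF(2^8) with x^0 = 1 (also for x = 0) and 0^e = 0 for e > 0."""
    if e == 0:
        return 1
    return 0 if x == 0 else EXP[(LOG[x] * e) % 255]


def mul_mod_t8p1(p, q):
    """Product modulo t^8 + 1: t^i * q is a rotation of q by i bits."""
    r = 0
    for i in range(8):
        if (p >> i) & 1:
            r ^= ((q << i) | (q >> (8 - i))) & 0xFF
    return r


def affine(x, a, b):
    """A(x) = a x mod (t^8 + 1) + b, equations (2) and (14)."""
    return mul_mod_t8p1(a, x) ^ b


def affine_inverse(z, a, b):
    """Equations (5) and (15): a^7 (z + b) mod (t^8 + 1), since a^8 = 1."""
    a7 = 1
    for _ in range(7):
        a7 = mul_mod_t8p1(a7, a)
    assert mul_mod_t8p1(a7, a) == 1
    return mul_mod_t8p1(a7, z ^ b)


def sbox_rd(x):
    return affine(gpow(x, 254), 0x1F, 0x63)


def sbox_aia(x):
    """S_AIA(x) = A(I(A(x))) with a = '5B', b = '5D'."""
    return affine(gpow(affine(x, 0x5B, 0x5D), 254), 0x5B, 0x5D)


def poly_coefficients(sbox):
    """Coefficients c[0..255] with sbox(x) = sum_k c[k] x^k over GF(2^8).
    From sum_a f(a) (1 + (x + a)^255) and (x + a)^255 = sum_k a^(255-k) x^k,
    the constant term is f(0) and c[k] = sum_a f(a) a^(255-k) for k >= 1."""
    c = [sbox(0)]
    for k in range(1, 256):
        acc = 0
        for a in range(256):
            acc ^= gmul(sbox(a), gpow(a, 255 - k))
        c.append(acc)
    return c


def evaluate(c, x):
    v = 0
    for k, ck in enumerate(c):
        v ^= gmul(ck, gpow(x, k))
    return v


def count_solutions(a, b):
    """Number of byte pairs (x, z) satisfying the first two, and all four,
    equations of (13) with y0 = A(x) and y1 = A^-1(z)."""
    y1_of = [affine_inverse(z, a, b) for z in range(256)]
    two = four = 0
    for x in range(256):
        y0 = affine(x, a, b)
        for y1 in y1_of:
            if gpow(y0, 128) == gmul(gpow(y1, 128), y0) and \
               gpow(y1, 128) == gmul(gpow(y0, 128), y1):
                two += 1
                if gpow(y0, 3) == gmul(gpow(y0, 4), y1) and \
                   gpow(y1, 3) == gmul(gpow(y1, 4), y0):
                    four += 1
    return two, four


if __name__ == "__main__":
    c_aia = poly_coefficients(sbox_aia)
    print("first coefficients of S_AIA:", " ".join("%02X" % v for v in c_aia[:4]))
    c_rd = poly_coefficients(sbox_rd)
    print("nonzero coefficients of S_RD:",
          {k: "%02X" % v for k, v in enumerate(c_rd) if v})
    print("pairs (x, z) solving (13) for S_AIA (first two, all four):",
          count_solutions(0x5B, 0x5D))
```

The constant coefficient computed for $S_{AIA}$ is $S_{AIA}(0)$ = 'FA', the first entry of Listing 8, and the interpolation of $S_{RD}$ returns exactly the nine coefficients of (12) (as powers of $x$: '05' $x^{254}$, '09' $x^{253}$, ..., '63'); the coefficient of $x^{255}$ is zero for both, as it must be for a bijection. The pair count is 256 in both columns: the 16 bit equations of the two 128th-power relations already pin down the graph of the inversion, in line with the 16-equation result of section 4, and the two cubic relations are satisfied on exactly those pairs.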


8 Conclusion

SageMath is a very appropriate, powerful computer mathematics tool to analyze cryptographic problems formulated with byte variables as polynomials in a quotient ring. Sage draws its strength in this area mainly from the integration of the BRiAl library (formerly PolyBoRi) [1, 12].

We have used Sage to demonstrate how to produce various Multivariate Quadratic equation systems (MQ), as well as their Gröbner bases, for the Rijndael S-box $S_{RD}$ and similar S-boxes in a simple and straightforward manner. Using the flexible structures and interface of Sage one can easily evaluate metrics of the resulting polynomial systems, like the number of different monomials in the system, the length of the equations, the frequency of appearance of certain terms or variables in equations, etc. With this facility we generated the necessary inputs for the application of the estimations of the Resistance against Algebraic Attacks (RAA) proposed by Cui et al. [6] or by Courtois and Pieprzyk [8]. In parallel, we performed numerical experiments by solving the corresponding MQ with a SAT solver, using the required computing time as a measure for the RAA.

Our results in this respect are revealing. We could not validate the dependence of the solving hardness on the number of equations and the number of independent monomials in the polynomial systems which both formulas forecast. There is in fact a slightly increased solver effort when one reduces the 23 Rijndael S-box equations to 16, but quantitatively this is badly represented in both formulas.

Cui et al. constructed a complicated algebraic expression for a new Rijndael S-box $S_{AIA}$ (starting from its Lagrange polynomial expression with 255 coefficients) which necessarily leads to a great number of equations and independent monomials in the resulting MQ. On this basis they thought to have demonstrated a remarkable new S-box, practically impossible to solve according to the RAA formulas discussed and dismissed here. However, there are gaps in their concept arising from an inconsistency in their comparison principle as well as a lack of thoroughness in the investigation of the properties of the new algebraic expression, which, as we showed, can be equivalently written in a much simpler form leading to a polynomial system nearly as easily solved as that of the original Rijndael S-box.

We also mapped the original Rijndael S-box with its 9 Lagrange coefficients onto the AIA form of Cui et al., which gave us the same huge number of variables and multitude of polynomials; this should make clear that this is no way to create especially hard cryptographic S-boxes.

We presented how to show with SageMath that the S-box $S_{AIA}$, called improved by Cui et al., is in fact not even marginally an improvement.

Table 1 gives a survey of the MQ and of the results of the algebraic attack resistance estimations scrutinized in this work.

We conclude that, in order to assess the resistance of an S-box against algebraic attacks, it is not sufficient to derive some multivariate quadratic equation system and analyze it. Instead one would have to show that the derived MQ is optimal and superior to its Gröbner basis for solving it and, thus, for attacking it or the cipher it is used in.
                        | MQ      | MQ      | MQ           | MQ           | Gröbner basis
S-box                   | S_RD    | S_RD    | S_AIA / S_RD | S_AIA / S_RD | S_AIA / S_RD
------------------------|---------|---------|--------------|--------------|--------------
maximal degree          | 2       | 2       | 2            | 2            | 7
# equations             | 23      | 16      | 2,039        | 32           | 8
# monomials             | 81      | 81      | 18,232       | 137          | 263
# dependent variables   | 8       | 8       | 2,032        | 8            | 8
log2(Γ)                 | 22.9    | 27.2    | 24.0         | 52.0         | -
log2(Γ_CP)              | 13.4    | 20.0    | 28.5         | 20.5         | -
SAT solver CPU time     | 0.6 s   | 0.7 s   | 7 s          | 0.8 s        | 0.15 s

Table 1: Survey of S-box MQ and estimations of their RAA.